Legion5

preventing about:blank

4 posts in this topic

OK, I know how about:blank is spread; there are essentially 2 ways.

1. Through the Overnet file sharing program. Overnet is ad supported, and even with the registered version there is half a second there where the ad will show up. I use it mostly for abandonware, as I am an enthusiast of that, but in any case, the spammers hijack the ads and make them display a pop-up window.

The window usually displays some bogus JavaScript info, which anyone with half a mind could display (there is a great JPG image that displays "your IP address is" in the image itself, but unfortunately I never saved the link; it illustrates this rather nicely).

It then goes on to say 99% chance you have spyware installed click here to remove!

Which it then links to its own spam pages.

2. The second way is from various sites that display pop-up ads; whichever they are, these spam "remove spyware" ads are also displayed here.

Besides this, no other ad-supported program displays these ads that I am aware of, so if you got it, it's from a remove spyware ad.

 

-

 

about:blank does 3 things that I know of: it changes your search, start, etc. pages, and it installs a spam .css style sheet replacing the default Internet Explorer page about:blank. It then installs search.ex and a .dll whose name escapes me (feel free to correct me).

To remove it you have to do 3 things.

Use HijackThis to remove the registry edits it made to change your start page etc.

Use CWShredder to remove search.ex

Use AdAware in MANUAL mode, scanning every single file on your system (very lengthy, especially if you have a large HDD; .48 terabytes uncompressed on 2, 120gb HDDs (I run Win2k Pro, btw)), to remove the .dll which reinstalls it. It will also probably fix the rest of the registry hacks, these being 'possible browser hijacks' as classified by it.

 

-

 

Now my question is:

 

HOW DO I PREVENT IT FROM REINSTALLING!

I have been hijacked by this most likely 20 or more times; how do I prevent it from re-installing, and how does it install?

Former versions of CW, the CoolWebs virus, have installed through the MS Virtual Machine (the default Java code plug-in by Microsoft). According to the FAQ, Sun Microsystems Java solves the problem and has more secure code which prevents the virus code (or program, if it can be called that) from installing. I have removed both Java plug-ins, as frankly they aren't used that often by websites. In any case, how is it still installing if it does not exploit the Microsoft VM, non byte verifier Java plug-in? And again, how do I prevent it from re-installing/infecting?


Please download Hijack This into its own permanent directory (e.g. c:\HJT) and run it. Then post a copy of the Hijack This log in your next posting. There are different ways of getting rid of About:Blank depending on your OS and other factors.


The Fist
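
The kind of check a helper runs over such a HijackThis log, as an added example that is not part of the thread: it scans the R0/R1 lines (Internet Explorer start and search page values) for about:blank or for a res:// page served out of a local DLL. The log lines and the name example.dll are constructed, and the two heuristics are assumptions of this sketch.

```python
import re

# HijackThis "R" lines report IE start/search page registry values, e.g.
#   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),([^=]+?)\s*=\s*(.*)$")
RES_DLL = re.compile(r"res://(.+?\.dll)(?:/|$)", re.IGNORECASE)

# Constructed sample (not from the thread); example.dll is a placeholder name.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\example.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [example] C:\WINDOWS\example.exe
"""


def triage(log_text):
    """Return (findings, dll_paths) for the IE page entries in a HijackThis log."""
    findings, dlls = [], set()
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # O-lines, headers and blank lines are out of scope here
        code, _key, name, value = (g.strip() for g in m.groups())
        res = RES_DLL.match(value)
        if res:
            # Page loaded from a DLL on disk: record the file, since the
            # thread reports that a leftover .dll reinstalls the hijack.
            dlls.add(res.group(1))
            findings.append((code, name, "page served from a local DLL"))
        elif value.lower() == "about:blank":
            # Legitimate only if the user chose a blank page themselves.
            findings.append((code, name, "set to about:blank"))
    return findings, sorted(dlls)


if __name__ == "__main__":
    found, dll_paths = triage(SAMPLE_LOG)
    for code, name, reason in found:
        print(f"{code} {name}: {reason}")
    print("DLLs to locate on disk:", dll_paths)
```
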


Here is another solution for fixing the about:blank problem.

I fought with this virus for a week and a half. It might be a Win32MerstingB trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

From CA's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

Aside from running the CWS shredder, Spybot, Adaware, pest patrol and an antivirus program, there are a couple of other things you can do too.

My antivirus program (eztrust from cai) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

 

To see information about it, go to:

http://vic.zonelabs.com/body/CA/virusDetails.jsp?VId=39113

http://www3.ca.com/securityadvisor/virusin...s.aspx?id=39113

http://uk.trendmicro-europe.com/enterprise...me=TROJ_AGENT.A

For information on the Reg Start page, go to:

http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=28683

Trend Micro's removal tool for this particular mofo is at:

https://beta.activeupdate.trendmicro.com/fi...gentv1.0007.zip

 

I have a command file (.cmd) named delmer.cmd that will remove it for you too that was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode MIME files though. For anyone who knows how to create a command file, below are the contents of that command file:

@echo off
rem Usage: delmer.cmd <path to the infected file>
rem Grant everyone full access to the file
echo y| cacls.exe "%~1" /g everyone:f
rem Access the file to trigger resident protection
type "%~1" > nul
rem Wait 10 seconds to allow system clean to run
rem (ping is used as the timer; "delay" is not a built-in Windows command)
ping -n 11 127.0.0.1 > nul
rem In case system clean didn't run, delete the file manually
del /q /f "%~1"

Make sure that once you run the command file, or the fixtool from Trend Micro, that you turn off the system restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the system restore points. Your antivirus will detect the virus if you don't turn the system restore off.

I hope this will help everyone who went thru the nightmare I've gone thru too!!
